Security Scans Indicate HttpOnly Attribute Not Set for XSRF-TOKEN Cookies

Published: 23 Nov 2015 | Last Modified Date: 07 Jun 2017

Issue

When performing a security scan of the computer running Tableau Server, the scan results might state that XSRF-TOKEN cookies for the site do not have the HttpOnly attribute set.

Environment

Tableau Server

Resolution

No action is necessary; this behavior is by design.

Cause

For protection, the session_id cookie has the HttpOnly attribute set. Authentication cannot be completed with the XSRF-TOKEN alone; it succeeds only when the XSRF-TOKEN is paired with the protected session_id cookie.
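To make the pairing concrete, here is an added Python example (not Tableau's code) of the pattern the article describes: session_id is issued with HttpOnly, XSRF-TOKEN is readable by page script, and the server accepts a state-changing request only when a valid session cookie is present and the token echoed in a request header matches the XSRF-TOKEN cookie bound to that session. The X-XSRF-TOKEN header name, the in-memory session store and the sample values are assumptions.

```python
import hmac
from http.cookies import SimpleCookie

# Constructed sample session store: session_id -> XSRF token bound to that session.
SESSIONS = {"sess-1": "tok-1"}


def issue_cookies(session_id, xsrf_token):
    """Build the two Set-Cookie values the server sends at login.

    session_id carries HttpOnly so page script cannot read it. XSRF-TOKEN
    deliberately omits HttpOnly: client script must read it to echo it back
    in a request header, which is exactly what a scanner reports as a finding.
    """
    session = SimpleCookie()
    session["session_id"] = session_id
    session["session_id"]["httponly"] = True
    session["session_id"]["secure"] = True
    xsrf = SimpleCookie()
    xsrf["XSRF-TOKEN"] = xsrf_token
    xsrf["XSRF-TOKEN"]["secure"] = True
    return [session.output(header="").strip(), xsrf.output(header="").strip()]


def validate_request(cookie_header, x_xsrf_token_header):
    """Server-side check for a state-changing request; returns (accepted, reason).

    Accepted only when a valid session_id cookie is present AND the token in
    the (assumed) X-XSRF-TOKEN header matches the XSRF-TOKEN cookie bound to
    that session. The token alone authenticates nothing, and a cross-site
    request cannot add the custom header even though the browser sends cookies.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    sid = jar["session_id"].value if "session_id" in jar else None
    if sid is None or sid not in SESSIONS:
        return False, "no valid session_id cookie"
    cookie_token = jar["XSRF-TOKEN"].value if "XSRF-TOKEN" in jar else None
    if not cookie_token or not x_xsrf_token_header:
        return False, "XSRF token missing from cookie or header"
    expected = SESSIONS[sid]
    # Constant-time comparisons so the check does not leak token bytes via timing.
    if not (hmac.compare_digest(cookie_token, expected)
            and hmac.compare_digest(x_xsrf_token_header, expected)):
        return False, "XSRF token mismatch"
    return True, "ok"


if __name__ == "__main__":
    print(issue_cookies("sess-1", "tok-1"))
    print(validate_request("XSRF-TOKEN=tok-1", "tok-1"))  # token alone: rejected
    print(validate_request("session_id=sess-1; XSRF-TOKEN=tok-1", "tok-1"))  # paired: accepted
```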